CN114745180A - Access authentication method and device and computer equipment - Google Patents
- Publication number: CN114745180A (application CN202210373051.3A)
- Authority: CN (China)
- Prior art keywords: digital certificate, authentication, access, data, certificate
- Prior art date
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/08: Network architectures or network communication protocols for network security, for authentication of entities
- H04L63/0823: Network architectures or network communication protocols for network security, for authentication of entities using certificates
- H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources
- H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
- H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- Y04S40/20: Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies (smart grids); information technology specific aspects, e.g. CAD, simulation, modelling, system security
Abstract
The application relates to an access authentication method, an access authentication device and computer equipment. First, the first end responds to a handshake request sent by the second end by executing a digital certificate verification operation. If the first digital certificate and the second digital certificate are both legal, the first end sends an information authentication instruction to the second end; the information authentication instruction is used to obtain an access message from the second end. The first end then authenticates the access message, and if the access message passes authentication, the first end sends a response message of successful authentication to the second end; the response message indicates that data communication between the first end and the second end is allowed. The method thus realizes access authentication based on a dual mechanism of digital certificate authentication and access message authentication, ensures secure access of the second end, and effectively improves communication security between the first end and the second end.
Description
Technical Field
The present application relates to the field of communications technologies, and in particular, to an access authentication method, an access authentication device, and a computer device.
Background
In recent years, with the intensified supervision and control of power information security, the importance of power grid information security has been further clarified, and higher requirements have been placed on the security protection of key information infrastructure in fields such as energy and electric power.
In an electric power system, to ensure the security of power grid information, the established security protection system usually adopts a boundary protection device to isolate the different security zones of the power monitoring system. When service hosts in different security zones communicate, the data message is sent to the boundary protection device, and the boundary protection device completes the data communication between the security zones.
However, when a service host and a boundary protection device exchange data in the power system, if the service host connects to a boundary protection device forged by an attacker, or an attacker impersonates the service host to communicate with the boundary protection device, communication data may be leaked, which seriously affects communication security in the power system.
Disclosure of Invention
In view of the above, it is necessary to provide an access authentication method, an access authentication apparatus, and a computer device, which can prevent communication data from leaking and improve communication security in a power system.
In a first aspect, the present application provides an access authentication method, including:
the first end responds to the handshake request sent by the second end by executing a digital certificate verification operation; the digital certificate verification operation is used for verifying the legality of the first digital certificate of the first end and the second digital certificate of the second end;
if the first digital certificate and the second digital certificate are both legal, the first end sends an information authentication instruction to the second end, and the information authentication instruction is used for acquiring an access message of the second end;
the first end authenticates the access message;
if the access message passes the authentication, the first end sends a response message of successful authentication to the second end; the response message indicates that data communication is allowed between the first end and the second end.
In one embodiment, the first end performing the digital certificate verification operation includes:
the first end sends the first digital certificate to the second end, instructing the second end to verify the validity of the first digital certificate;
the first end receives the second digital certificate sent by the second end, where the second digital certificate is sent after the second end determines that the first digital certificate is legal;
the first end verifies the legality of the second digital certificate;
if the validity of the second digital certificate passes the verification, the first end determines that the first digital certificate and the second digital certificate are both valid.
In one embodiment, the first end sending the first digital certificate to the second end includes:
the first end encrypts a first reference digital certificate with the public key of the second end to obtain the first digital certificate; the first reference digital certificate includes identity information of the first end;
and sends the first digital certificate to the second end.
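The message sequence just described, as an added example that is not code from the patent: the first end is modelled as a state machine that only requests the access message after the second end's certificate verifies, and only accepts data frames after the access message authenticates. The message type names, the injected check functions (stand-ins for the certificate and signature checks) and the omission of the public-key wrapping of the certificates are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# First-end states (assumed names). A message that does not fit the current
# state ends the exchange, so neither stage of the dual authentication can be skipped.
WAIT_HANDSHAKE, WAIT_PEER_CERT, WAIT_ACCESS_MSG, OPEN, FAILED = range(5)

@dataclass
class FirstEnd:
    own_cert: dict
    cert_is_valid: Callable[[dict], bool]               # injected second-certificate check
    message_is_authentic: Callable[[dict, dict], bool]  # injected access-message check
    state: int = WAIT_HANDSHAKE
    peer_cert: Optional[dict] = None
    log: list = field(default_factory=list)

    def fail(self, why):
        self.state = FAILED
        self.log.append("fail: " + why)
        return {"type": "reject", "reason": why}

    def receive(self, msg):
        """Handle one message from the second end; return the reply, or None."""
        kind = msg.get("type")
        if self.state == WAIT_HANDSHAKE and kind == "handshake":
            self.state = WAIT_PEER_CERT
            return {"type": "certificate", "cert": self.own_cert}  # send first certificate
        if self.state == WAIT_PEER_CERT and kind == "certificate":
            if not self.cert_is_valid(msg["cert"]):
                return self.fail("second digital certificate invalid")
            self.peer_cert = msg["cert"]
            self.state = WAIT_ACCESS_MSG
            return {"type": "info_auth_instruction"}  # request the access message
        if self.state == WAIT_ACCESS_MSG and kind == "access":
            if not self.message_is_authentic(self.peer_cert, msg):
                return self.fail("access message authentication failed")
            self.state = OPEN
            return {"type": "auth_success"}  # data communication is now allowed
        if self.state == OPEN and kind == "data":
            self.log.append("data accepted: " + repr(msg["payload"]))
            return None
        return self.fail(f"unexpected {kind!r} in state {self.state}")

def run_exchange(first_end, second_end_msgs):
    """Feed the second end's messages in order; return (final state, replies)."""
    replies = []
    for m in second_end_msgs:
        replies.append(first_end.receive(m))
        if first_end.state == FAILED:
            break
    return first_end.state, replies

def demo():
    """Constructed exchanges: a correct one and three that go wrong."""
    trusted = {"CA-GRID-01"}
    def cert_ok(cert):
        return cert.get("ca_id") in trusted
    def msg_ok(cert, msg):           # stand-in for the signature/digest comparison
        return msg.get("signer") == cert.get("subject")
    def first_end():
        return FirstEnd({"subject": "gateway", "ca_id": "CA-GRID-01"}, cert_ok, msg_ok)
    host_cert = {"subject": "host-zone2", "ca_id": "CA-GRID-01"}
    handshake = {"type": "handshake", "version": "1.0", "ciphers": ["A", "B"]}
    cert = {"type": "certificate", "cert": host_cert}
    access = {"type": "access", "signer": "host-zone2", "data": "CONNECT"}
    data = {"type": "data", "payload": b"telemetry"}
    rogue = {"type": "certificate", "cert": {"subject": "x", "ca_id": "CA-ROGUE"}}
    return {
        "good": run_exchange(first_end(), [handshake, cert, access, data]),
        "skip_cert": run_exchange(first_end(), [handshake, access, data]),
        "early_data": run_exchange(first_end(), [handshake, cert, data]),
        "bad_cert": run_exchange(first_end(), [handshake, rogue, access]),
    }
```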
In one embodiment, the first end verifying the legality of the second digital certificate includes:
the first end decrypts the second digital certificate to obtain a second reference digital certificate; the second reference digital certificate includes an identifier of the certificate authority to which it belongs and a digital signature;
detecting whether the identifier of the certificate authority exists in a pre-stored certificate authority trust list, and verifying the tampering state of the digital signature;
if the identifier of the certificate authority exists in the trust list and the tampering state of the digital signature is "not tampered", detecting whether the second reference digital certificate exists in the revocation list of the certificate authority;
and if the second reference digital certificate does not exist in the revocation list of the certificate authority, determining that the validity of the second digital certificate passes verification.
In one embodiment, the second reference digital certificate further includes attribute information of the second end, and verifying the tampering state of the digital signature includes:
the first end acquires the public key of the certificate authority and decrypts the digital signature with that public key to obtain a first hash value;
the first end computes a second hash value over the attribute information using a preset hash algorithm;
and if the first hash value and the second hash value are the same, the first end determines that the tampering state of the digital signature is "not tampered".
In one embodiment, the method further comprises:
if the first digital certificate and the second digital certificate are both legal, the first end establishes a connection channel with the second end; the connection channel comprises a transmission protocol between the first end and the second end;
the first end receives the access message of the second end through the connection channel.
In one embodiment, the access message includes access data and signature data, and the second digital certificate includes the public key of the second digital certificate; the first end authenticating the access message includes:
the first end decrypts the signature data with the public key of the second digital certificate to obtain first digest information;
the first end determines the digest extraction mode of the signature data and extracts a digest of the access data in that mode to obtain second digest information;
and comparing the first digest information with the second digest information: if they are the same, the first end determines that the access message passes authentication.
In one embodiment, the access message includes access data and cyclic redundancy check data, and the second digital certificate includes the public key of the second digital certificate; the first end authenticating the access message includes:
the first end decrypts the cyclic redundancy check data with the public key of the second digital certificate to obtain a first cyclic redundancy check value;
the first end computes a second cyclic redundancy check value over the access data using a preset check value generation method;
and comparing the first cyclic redundancy check value with the second cyclic redundancy check value: if they are the same, the first end determines that the access message passes authentication.
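The certificate checks (trust list, signature, revocation list) and both access-message variants (signed digest, signed CRC), as an added example that is not the patent's own code. The textbook RSA built from Mersenne primes, the attribute encoding, the message layouts and all names are assumptions chosen so the block runs with only the Python standard library; the public-key wrapping of the certificate itself is left out.

```python
import hashlib, zlib
# Toy RSA over Mersenne primes so this runs with only the standard library: textbook
# RSA, no padding, trivially factorable moduli; it shows the steps, not a real scheme.
E = 65537
CA_PRIMES = ((1 << 521) - 1, (1 << 127) - 1)   # M521, M127 (constructed CA key)
HOST_PRIMES = ((1 << 607) - 1, (1 << 89) - 1)  # M607, M89 (constructed host key)
ALLOWED_DIGESTS = {"sha256", "sha512"}         # digest modes the first end accepts

def make_keypair(p, q, e=E):
    """Return ((n, e), (n, d))."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def rsa_sign(priv, value):
    return pow(value, priv[1], priv[0])

def rsa_recover(pub, sig):
    # "Decrypt" a signature with the public key to get back the signed value.
    return pow(sig, pub[1], pub[0])

def digest_int(alg, data):
    return int.from_bytes(hashlib.new(alg, data).digest(), "big")

def encode_attrs(attrs):
    """Canonical byte encoding so issuer and verifier hash identical bytes."""
    return "|".join(f"{k}={attrs[k]}" for k in sorted(attrs)).encode()

def issue_certificate(ca_id, ca_priv, attrs):
    """CA signs the hash of the attribute block (the 'reference certificate')."""
    sig = rsa_sign(ca_priv, digest_int("sha256", encode_attrs(attrs)))
    return {"ca_id": ca_id, "attrs": dict(attrs), "sig": sig}

def verify_certificate(cert, trust_list, revocation_list):
    """Checks in the patent's order: CA in trust list, signature not tampered, not
    revoked. The CA public key comes from the trust list, never from the certificate."""
    ca_pub = trust_list.get(cert["ca_id"])
    if ca_pub is None:
        return False, "ca not in trust list"
    first_hash = rsa_recover(ca_pub, cert["sig"])                    # from signature
    second_hash = digest_int("sha256", encode_attrs(cert["attrs"]))  # recomputed
    if first_hash != second_hash:
        return False, "digital signature tampered"
    if cert["attrs"]["serial"] in revocation_list.get(cert["ca_id"], set()):
        return False, "certificate revoked"
    return True, "ok"

def end_pubkey(cert):
    return (cert["attrs"]["pub_n"], cert["attrs"]["pub_e"])

def build_access_message(end_priv, data, digest_alg="sha256"):
    """Second end: access data plus a signature over the data's digest."""
    sig = rsa_sign(end_priv, digest_int(digest_alg, data))
    return {"data": data, "digest_alg": digest_alg, "sig": sig}

def authenticate_access_message(cert, msg):
    """First end: recover the first digest from the signature with the public key
    in the already verified certificate, recompute the second digest, compare."""
    if msg["digest_alg"] not in ALLOWED_DIGESTS:  # never honour an unlisted mode
        return False
    first = rsa_recover(end_pubkey(cert), msg["sig"])
    return first == digest_int(msg["digest_alg"], msg["data"])

def build_crc_message(end_priv, data):
    """Variant: the second end signs a CRC32 of the access data instead."""
    return {"data": data, "crc_sig": rsa_sign(end_priv, zlib.crc32(data))}

def authenticate_crc_message(cert, msg):
    return rsa_recover(end_pubkey(cert), msg["crc_sig"]) == zlib.crc32(msg["data"])

def run_scenario():
    """Constructed scenario: one CA, one service host, and the failure cases."""
    ca_pub, ca_priv = make_keypair(*CA_PRIMES)
    host_pub, host_priv = make_keypair(*HOST_PRIMES)
    trust_list = {"CA-GRID-01": ca_pub}
    revocation_list = {"CA-GRID-01": {"0002"}}
    attrs = {"subject": "service-host-zone2", "serial": "0001",
             "pub_n": host_pub[0], "pub_e": host_pub[1]}
    cert = issue_certificate("CA-GRID-01", ca_priv, attrs)
    tampered = issue_certificate("CA-GRID-01", ca_priv, attrs)
    tampered["attrs"]["subject"] = "boundary-device"   # edited after signing
    revoked = issue_certificate("CA-GRID-01", ca_priv, {**attrs, "serial": "0002"})
    rogue = dict(cert, ca_id="CA-ROGUE")               # issuer not in trust list
    msg = build_access_message(host_priv, b"CONNECT zone2->zone3 seq=17")
    crc_msg = build_crc_message(host_priv, b"CONNECT zone2->zone3 seq=18")
    return {
        "valid": verify_certificate(cert, trust_list, revocation_list),
        "tampered": verify_certificate(tampered, trust_list, revocation_list),
        "revoked": verify_certificate(revoked, trust_list, revocation_list),
        "rogue_ca": verify_certificate(rogue, trust_list, revocation_list),
        "msg_ok": authenticate_access_message(cert, msg),
        "msg_forged": authenticate_access_message(cert, dict(msg, data=b"CONNECT zone2->zone1")),
        "msg_bad_alg": authenticate_access_message(cert, dict(msg, digest_alg="md5")),
        "crc_ok": authenticate_crc_message(cert, crc_msg),
        "crc_forged": authenticate_crc_message(cert, dict(crc_msg, data=b"X")),
    }

if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```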
In a second aspect, the present application further provides an access authentication apparatus, including:
the verification module is used for the first end to respond to the handshake request sent by the second end by executing the digital certificate verification operation; the digital certificate verification operation is used for verifying the legality of the first digital certificate of the first end and the second digital certificate of the second end;
the first sending module is used for the first end to send an information authentication instruction to the second end if the first digital certificate and the second digital certificate are both legal, wherein the information authentication instruction is used for acquiring an access message of the second end;
the authentication module is used for the first end to authenticate the access message;
the second sending module is used for the first end to send a response message of successful authentication to the second end if the access message passes authentication; the response message indicates that data communication is allowed between the first end and the second end.
In a third aspect, an embodiment of the present application provides a computer device, including a memory and a processor, where the memory stores a computer program, and the processor implements the steps of any one of the methods provided in the embodiments of the first aspect when executing the computer program.
In a fourth aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of any one of the methods provided in the embodiments of the first aspect.
In a fifth aspect, the present application provides a computer program product, which includes a computer program that, when executed by a processor, implements the steps of any one of the methods provided in the embodiments of the first aspect.
According to the access authentication method, the access authentication device and the computer equipment, firstly, a first end responds to a handshake request sent by a second end, the first end executes digital certificate verification operation, if a first digital certificate and a second digital certificate are both legal, the first end sends an information authentication instruction to the second end, the information authentication instruction is used for obtaining an access message of the second end, the first end authenticates the access message, if the access message passes authentication, the first end sends a response message of successful authentication to the second end, and the response message indicates that data communication is allowed to be carried out between the first end and the second end. According to the method, the legality of a first digital certificate at a first end and a second digital certificate at a second end is verified through digital certificate verification operation, if the first digital certificate and the second digital certificate are both legal, the first end sends an information authentication instruction to the second end to obtain an access message at the second end, then the first end authenticates the access message, and when the access message passes authentication, data communication can be carried out between the first end and the second end.
Drawings
FIG. 1a is a diagram of an application environment of an access authentication method in one embodiment;
FIG. 1b is a schematic structural diagram of an access authentication method in an embodiment;
FIG. 2 is a flow diagram illustrating an access authentication method according to an embodiment;
FIG. 3 is a schematic structural diagram of an access authentication method in another embodiment;
FIG. 4 is a schematic structural diagram of an access authentication method in another embodiment;
FIG. 5 is a schematic structural diagram of an access authentication method in another embodiment;
FIG. 6 is a schematic structural diagram of an access authentication method in another embodiment;
FIG. 7 is a schematic structural diagram of an access authentication method in another embodiment;
FIG. 8 is a schematic structural diagram of an access authentication method in another embodiment;
FIG. 9 is a flowchart illustrating an access authentication method according to another embodiment;
FIG. 10 is a schematic structural diagram of an access authentication method in another embodiment;
FIG. 11 is a schematic structural diagram of an access authentication method in another embodiment;
FIG. 12 is a flowchart illustrating an access authentication method according to another embodiment;
FIG. 13 is a flowchart illustrating an access authentication method according to another embodiment;
FIG. 14 is a flowchart illustrating an access authentication method according to another embodiment;
FIG. 15 is a flowchart illustrating an access authentication method according to another embodiment;
FIG. 16 is a flowchart illustrating an access authentication method according to another embodiment;
FIG. 17 is a flowchart illustrating an access authentication method according to another embodiment;
FIG. 18 is a flowchart illustrating an access authentication method according to another embodiment;
FIG. 19 is a block diagram of an access authentication device in one embodiment;
FIG. 20 is a diagram illustrating an internal structure of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The access authentication method provided by the embodiments of the present application can be used in an application environment as shown in FIG. 1a. The first end and the second end in FIG. 1a each comprise at least one device, or at least one type of device, and may be connected directly or indirectly by wired or wireless communication, which is not limited in this embodiment. The first end and the second end may be computer devices or terminal devices in any field, including but not limited to smart phones, tablet computers, laptops, desktop computers, digital assistants, smart speakers, smart wearable devices, vehicle terminals, servers and other physical devices, and may also include software running on those devices, such as an application program; the operating systems running on the first end and the second end may include but are not limited to Android, iOS, Linux and Windows. The embodiments of the present application do not limit the types of the first end and the second end.
Based on FIG. 1a, the first end responds to the handshake request sent by the second end; that is, the second end sends the handshake request to the first end to request establishment of a communication connection with the first end. The first end may likewise send a handshake request to the second end to request establishment of a communication connection with the second end. The terms "first end" and "second end" only distinguish the two ends and do not limit any other information.
The embodiment of the application provides an access authentication method, an access authentication device and computer equipment, which can prevent communication data from being leaked and improve communication safety in a power system.
The following describes in detail the technical solutions of the present application and how the technical solutions of the present application solve the above technical problems by embodiments and with reference to the drawings. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application.
Before the embodiments of the present application are described in detail, the first end and the second end are explained. Referring to FIG. 1b, the first end and the second end are the two different ends of an access authentication process, but which device each refers to depends on the direction of the access request. For example, when the access request direction in FIG. 1b is a service host requesting access to a security protection device, the first end in this embodiment refers to the security protection device and the second end refers to the service host; conversely, when the security protection device requests access to the service host, the first end refers to the service host and the second end refers to the security protection device.
The service host may be a device in each security zone in the power monitoring system, and the security protection device is a security gateway device in the power monitoring system.
It should be noted that when the second end applies to access the first end, both the digital certificate verification operation and the access message authentication process are involved, and these two processes are the same whether the first end applies to access the second end or the second end applies to access the first end. Specifically, when the second end applies to access the first end, the first end executes the digital certificate verification operation and the access message authentication process; when the first end applies to access the second end, the second end executes them.
The access authentication procedure is explained below by way of specific embodiments.
In an embodiment, an access authentication method is provided, as shown in FIG. 2. This embodiment relates to the specific process in which the first end responds to a handshake request sent by the second end, verifies the validity of the first digital certificate of the first end and the second digital certificate of the second end, and, if both certificates are valid, sends an information authentication instruction to the second end to obtain an access message of the second end; the first end then authenticates the access message and, if it passes authentication, sends a response message of successful authentication to the second end. The embodiment includes the following steps:
S201: the first end responds to the handshake request sent by the second end by executing the digital certificate verification operation; the digital certificate verification operation is used for verifying the validity of the first digital certificate at the first end and the second digital certificate at the second end.
When the first end and the second end exchange information, the two ends exchange data using a certain communication protocol, and the process of making contact between the two ends is called a "handshake". When the second end needs to send data to the first end, the second end first sends a handshake request to the first end.
Optionally, the handshake request includes version information, a candidate list of encryption algorithms, a random number, an extension field, and other information.
After receiving the handshake request, the first end executes a digital certificate verification operation to verify the validity of the first digital certificate of the first end and the second digital certificate of the second end.
A digital certificate is a data string that identifies each communicating party in internet communication; it provides a way to verify the identity of a communicating entity on the internet, and functions much like a driver's licence or identity card in daily life. It is issued by a Certificate Authority (CA), and the other party can be identified over the internet by its digital certificate.
The digital certificate may be a Public Key Infrastructure (PKI) digital certificate, an X.509 certificate, or the like, and the type of digital certificate may be chosen according to the actual application requirements.
Optionally, the digital certificate comprises a public key, a name, and a digital signature of the certificate authority; specifically, the first digital certificate of the first end may include the public key of the first digital certificate and the identity information of the first end, and the like, and the second digital certificate of the second end may include the public key of the second digital certificate and the identity information of the second end, and the like.
The first end performing the digital certificate validation operation may be that the first end validates whether the certificate authority is legitimate.
In one embodiment, the first end may perform the digital certificate verification operation by taking the digital certificate as an input of a preset verification algorithm, and outputting the validity of the digital certificate by running the verification algorithm. Wherein the digital certificate comprises a first digital certificate at a first end and a second digital certificate at a second end.
In the scenario of fig. 3, the first end refers to the safety protection device, and the second end refers to the service host. Based on the scene, the service host sends a handshake request to the safety protection device, and the safety protection device executes a digital certificate verification operation after receiving the handshake request, wherein the digital certificate verification operation is an operation for verifying whether a first digital certificate of the safety protection device and a second digital certificate of the service host are legal or not; in practical application, the service host may be provided with an authentication client, and may access the network through the authentication client, so as to send a handshake request and a second digital certificate of the service host to the security protection device.
In the scenario of fig. 4, the first end refers to the traffic host and the second end refers to the safety device. Based on the scenario, the safety protection device sends a handshake request to the service host, and the service host executes a digital certificate verification operation after receiving the handshake request, where the digital certificate verification operation is an operation of verifying whether the first digital certificate of the service host and the first digital certificate of the safety protection device are legal.
The service host may be a device in any security zone of the power monitoring system, and the safety protection device may be a security gateway device of the power monitoring system; accordingly, the service host may be a device of the service system or of the plant station system. The service system may include the scheduling automation master station system of the power monitoring system, an operation ticket system, and the like; the scheduling automation master station system includes a master station operation control system (OCS), an automatic generation control (AGC) system, an automatic voltage control (AVC) system, and the like; the plant station system may include substations, power plants, and the like.
S202, if the first digital certificate and the second digital certificate are both legal, the first end sends an information authentication instruction to the second end, and the information authentication instruction is used for acquiring an access message of the second end.
And if the first digital certificate and the second digital certificate are both legal, the first end sends an information authentication instruction to the second end, and after the second end receives the information authentication instruction, the second end sends an access message to the first end.
The information authentication instruction may be a transmission signal, which is a signal instructing the second end to transmit an access packet to the first end, and the access packet may be a connection packet.
Optionally, the first end sends the information authentication instruction to the second end by an HTTP POST or GET request; the first end may obtain the access message of the second end either by fetching it from the second end or by the second end actively transmitting it to the first end.
In the foregoing, the request access manners of the first end and the second end are different, and specific references also differ, so in the scenario of fig. 5, the first end refers to the safety protection device, and the second end refers to the service host. Based on the scene, the service host sends a handshake request to the safety protection device, the safety protection device executes digital certificate verification operation after receiving the handshake request, if the first digital certificate of the safety protection device and the second digital certificate of the service host are both legal, the safety protection device sends an information authentication instruction to the service host, and the service host sends an access message to the safety protection device after receiving the information authentication instruction.
In the scenario of fig. 6, the first end refers to the service host and the second end refers to the safety protection device. Based on the scene, the safety protection device sends a handshake request to the service host, the service host executes the digital certificate verification operation after receiving the handshake request, if the first digital certificate of the service host and the second digital certificate of the safety protection device are both legal, the service host sends an information authentication instruction to the safety protection device, and the safety protection device sends an access message to the service host after receiving the information authentication instruction.
S203, the first end authenticates the access message.
A message is a unit of data exchanged and transmitted in a network, that is, the block of data a station sends at one time; it contains the complete data to be sent, and messages vary widely in length, which is variable and not limited. The message is also a unit of network transmission: during transmission it is successively encapsulated into segments, packets and frames, each encapsulation adding a header, i.e. control information organized in a fixed format, in front of the data.
The access message is the message sent when the second end applies for access to the first end. Ways of authenticating it include conventional encryption, a message authentication code computed with a secret key, a one-way hash function, and a digital signature; as examples of the one-way hash route, the description names a Message Authentication Code (MAC), a cyclic redundancy check (CRC) and a Secure Hash Algorithm (SHA). A practitioner should note the difference between these: a CRC is an error-detection code rather than a cryptographic hash, and any unkeyed hash or CRC can be recomputed by whoever alters the message, so only a keyed MAC or a digital signature made with a private key the attacker does not hold actually proves who sent the access message.
Optionally, the first end authenticates the access packet of the second end, and may verify whether the second end can obtain access to the first end.
S204, if the access message passes the authentication, the first end sends a response message of successful authentication to the second end; the response message indicates that data communication is allowed between the first end and the second end.
The access message authentication pass may indicate that the second peer has obtained access to the first peer, and the second peer may perform normal communication with the first peer.
If the access message passes the authentication, the second end is the trusted device, that is, the access authentication of the second end is successful, the first end sends a response message of successful authentication to the second end, and meanwhile, the second end can start normal communication with the first end.
The response message consists of a status line, response headers, a blank line and a response body. The status line has three parts: the HyperText Transfer Protocol (HTTP) version, a three-digit status code, and the reason phrase describing the status code. A response message indicating successful authentication carries status code 200 (OK).
In the foregoing, the request access manners of the first end and the second end are different, and specific references also differ, so in the scenario of fig. 7, the first end refers to the safety protection device, and the second end refers to the service host. Based on the scene, the safety protection device authenticates the access message sent by the service host, if the access message passes the authentication, the safety protection device sends a response message indicating that the service host and the safety protection device can communicate normally to the service host.
In the scenario of fig. 8, the first end refers to the service host and the second end refers to the safety protection device. Based on the scene, the service host authenticates the access message sent by the safety protection device, and if the access message passes the authentication, the service host sends a response message to the safety protection device indicating that the safety protection device and the service host can communicate normally.
If the access message fails authentication, the second end may be a device forged by an attacker, so to ensure security the first end may actively disconnect the connection channel between itself and the second end to block the second end's access, and the flow of the entire access authentication method ends. At the same time, the first end may reply to the second end with a response message rejecting the access.
In the access authentication method, first, the first end responds to a handshake request sent by the second end, the first end executes digital certificate verification operation, if the first digital certificate and the second digital certificate are both legal, the first end sends an information authentication instruction to the second end, the information authentication instruction is used for acquiring an access message of the second end, the first end authenticates the access message, if the access message passes authentication, the first end sends a response message of successful authentication to the second end, and the response message indicates that data communication is allowed to be performed between the first end and the second end. According to the method, the legality of a first digital certificate of a first end and a second digital certificate of a second end is verified through digital certificate verification operation, if the first digital certificate and the second digital certificate are both legal, the first end sends an information authentication instruction to the second end to obtain an access message of the second end, then the first end authenticates the access message, and when the access message passes authentication, data communication can be carried out between the first end and the second end.
In one embodiment, as shown in fig. 9, the first end performs a digital certificate validation operation, including the steps of:
s901, the first end sends the first digital certificate to the second end to indicate the second end to verify the validity of the first digital certificate.
Based on the above embodiment, after the first end receives the handshake request sent by the second end, the first end sends the first digital certificate to the second end, and after the second end receives the first digital certificate, the second end verifies the validity of the first digital certificate.
The first digital certificate is a digital certificate of the first end, and the first digital certificate comprises identity information of the first end.
The digital certificate depends on the trust transfer mechanism of a root certificate: verifying the validity of a certificate requires the participation of its superior (issuing) certificate. Apart from the root certificate, every digital certificate carries a signature by its superior certificate, that is, a digest of the certificate (abbreviated H1) signed with the private key of the superior certificate (for RSA this is commonly described as encrypting the digest with the private key).
Accordingly, the validity of a digital certificate may be verified as follows: check that the root certificate is a trusted root certificate, and for each digital certificate below it in the chain check that the digest recovered from its signature (H2) matches the digest computed over the content of the certificate (H1); if H2 is consistent with H1 the digital certificate is legal, otherwise it is determined to be illegal. The digest H2 is recovered by decrypting the signature with the public key of the superior certificate, so a mismatch means either that the certificate content was altered after issuance or that the signature was not made with the superior certificate's private key.
And S902, the first end receives a second digital certificate sent by the second end, and the second digital certificate is sent after the second end determines that the first digital certificate is legal.
And when the second end determines that the first digital certificate is legal, the second digital certificate is sent to the first end, and the first end receives the second digital certificate.
The second digital certificate is a digital certificate of the second end, and the second digital certificate comprises identity information of the second end.
And S903, the first end verifies the legality of the second digital certificate.
After receiving the second digital certificate, the first end may check the validity of the second digital certificate, where the checking mode may be the same as the mode for verifying the first digital certificate, and is not described herein again.
S904, if the validity of the second digital certificate is verified, the first end determines that the first digital certificate and the second digital certificate are both legal.
If the validity verification of the second digital certificate passes, then, because the second end sends the second digital certificate only after it has itself verified the validity of the first digital certificate, the first end can conclude that the first digital certificate and the second digital certificate are both legal.
In the foregoing, the request access manners of the first end and the second end are different, and specific references also differ, so in the scenario of fig. 10, the first end refers to the safety protection device, and the second end refers to the service host. Based on the scenario, the service host sends a handshake request to the safety protection device, and the safety protection device executes a digital certificate verification operation after receiving the handshake request, wherein the digital certificate verification operation includes: the safety protection equipment sends a first digital certificate to the service host, the service host verifies the validity of the first digital certificate, if the first digital certificate is legal, the service host sends a second digital certificate to the safety protection equipment, the safety protection equipment verifies the validity of the second digital certificate, and if the second digital certificate is legal, the first digital certificate of the safety protection equipment and the second digital certificate of the service host are both determined to be legal.
In the scenario of fig. 11, the first end refers to the service host and the second end refers to the safety device. Based on the scenario, the safety protection device sends a handshake request to the service host, and the service host executes a digital certificate verification operation after receiving the handshake request, wherein the digital certificate verification operation includes: the method comprises the steps that a service host sends a first digital certificate to a safety protection device, the safety protection device verifies the validity of the first digital certificate, if the first digital certificate is legal, the safety protection device sends a second digital certificate to the service host, the service host verifies the validity of the second digital certificate, and if the second digital certificate is legal, it is determined that the first digital certificate of the service host and the second digital certificate of the safety protection device are both legal.
In the access authentication method, the first end sends the first digital certificate to the second end to indicate the second end to verify the validity of the first digital certificate, the first end receives the second digital certificate sent by the second end, the second digital certificate is sent after the second end determines that the first digital certificate is legal, the first end verifies the validity of the second digital certificate, and if the validity verification of the second digital certificate passes, the first end determines that both the first digital certificate and the second digital certificate are legal. In the method, the first digital certificate of the first end and the second digital certificate of the second end are legally verified, so that the communication safety between the first end and the second end is improved.
In one embodiment, as shown in fig. 12, the first end sends the first digital certificate to the second end, including the following steps:
s1201, the first end encrypts the first reference digital certificate according to the public key of the second end to obtain a first digital certificate; the first reference digital certificate includes identity information of the first end.
In order to avoid the leakage of the digital certificates, the first end and the second end can send respective digital certificates to each other by using an encryption algorithm.
Before the first end sends the first digital certificate to the second end, the first end needs to encrypt the first reference digital certificate according to the public key of the second end to obtain the first digital certificate. The first reference certificate includes identity information of the first end, and is capable of uniquely identifying the first end.
The first end may encrypt the first reference digital certificate with an encryption algorithm and the public key of the second end; the encrypted first reference digital certificate is the first digital certificate. The encryption algorithm may be symmetric or asymmetric, and it should be noted that the type of encryption algorithm is not limited in the embodiments of the present application. In practice a public-key algorithm such as RSA can directly encrypt only a message shorter than its key size, so encrypting a whole certificate under the second end's public key means a hybrid scheme: a fresh symmetric key encrypts the certificate, and the second end's public key encrypts that symmetric key.
And S1202, sending the first digital certificate to a second end.
After the first end obtains the first digital certificate, it sends the first digital certificate to the second end, optionally by an HTTP GET or POST request.
Please continue to refer to fig. 10 and 11.
In the scenario of fig. 10, the security protection device encrypts the first reference digital certificate of the security protection device according to the public key of the service host to obtain a first digital certificate, and then the security protection device sends the first digital certificate to the service host.
In the scenario of fig. 11, the service host encrypts the first reference digital certificate of the service host according to the public key of the security protection device to obtain a first digital certificate, and then the service host sends the first digital certificate to the security protection device.
In the access authentication method, the first end encrypts the first reference digital certificate according to the public key of the second end to obtain a first digital certificate; the first reference digital certificate comprises identity information of the first terminal; and sending the first digital certificate to the second terminal. In the method, the first end encrypts the first reference digital certificate and sends the encrypted first digital certificate to the second end, so that the communication security between the first end and the second end is ensured.
In one embodiment, as shown in fig. 13, the first end verifies the validity of the second digital certificate, including the following steps:
s1301, the first end decrypts the second digital certificate to obtain a second reference digital certificate; the second reference digital certificate includes an identification of a certificate authority to which the second reference digital certificate belongs and a digital signature.
And the first end decrypts the second digital certificate in a decryption mode, wherein the decryption mode is that the first end decrypts the second digital certificate according to the private key of the first end and a corresponding decryption algorithm when encrypting the second digital certificate to obtain a second reference digital certificate.
The second reference digital certificate comprises an identification and a digital signature of the certificate authority to which the second reference digital certificate belongs, and the identification of the certificate authority to which the second reference digital certificate belongs represents an issuing organization of the second reference digital certificate.
S1302, detecting whether the identification of the authentication center exists in a pre-stored trust list of the authentication center, and verifying the tampering state of the digital signature.
The first end stores a trust list of an authentication center in advance, the trust list of the authentication center comprises an identifier of the authentication center which the first end can trust, and the second reference digital certificate comprises an identifier of the authentication center to which the second reference digital certificate belongs and a digital signature.
Therefore, when the validity of the second reference digital certificate is verified, firstly, whether the identification of the certification center to which the second reference digital certificate belongs exists in the pre-stored trust list of the certification center is detected, and the tampering state of the digital signature is verified.
In one embodiment, as shown in fig. 14, the second reference digital certificate further includes attribute information of the second end; verifying a tamper status of a digital signature, comprising the steps of:
s1401, the first end obtains the public key of authentication center, and deciphers the digital signature according to the public key of authentication center, obtains first hash value.
Because the second reference digital certificate carries the identification of the certification center to which it belongs, the first end obtains the public key of that certification center according to the identification. In practice this key should be taken from the certification center's certificate held in the first end's pre-stored trust list rather than fetched over the network at verification time, since a fetched key that is not itself authenticated could be replaced by an attacker with one of their own.
After obtaining the public key of the authentication center, the first end decrypts the digital signature with it using a preset decryption algorithm, and the hash value obtained is determined to be the first hash value. This description of recovering a hash by decrypting the signature fits RSA signatures; for schemes such as ECDSA no value is recovered, and the verification operation instead takes the hash and the signature and returns pass or fail.
And S1402, the first end calculates the attribute information according to a preset hash algorithm to obtain a second hash value.
The binary string with any length is mapped into the binary string with fixed length, the mapping rule is hash algorithm, and the binary string obtained after mapping the original data is hash value.
Therefore, the attribute information is calculated according to a preset hash algorithm to obtain a hash value, and the hash value is determined as a second hash value.
The hash algorithm includes the SHA algorithms, message digest algorithms, and the like; it should be noted that the type of hash algorithm is not limited in any way in the embodiments of the present application.
S1403, if the first hash value is the same as the second hash value, the first end determines that the tampered state of the digital signature is not tampered.
The digital signature is obtained according to the attribute information of the second end, and the digital signature is decrypted to obtain a first hash value; calculating the attribute information by using a preset hash algorithm to obtain a second hash value, wherein if the first hash value is different from the second hash value, the digital signature is changed, and the tampering state of the digital signature is determined to be tampered; and if the first hash value and the second hash value are the same, the first end determines that the tampering state of the digital signature is not tampered.
S1303, if the identification of the authentication center exists in the trust list of the authentication center and the tampering state of the digital signature is not tampered, detecting whether a second reference digital certificate exists in the revocation list of the authentication center.
The certificate authority is the body that issues certificates; in a Public Key Infrastructure (PKI) it is the authoritative, trusted and impartial party, the core of the PKI system and its foundation of trust, and it manages the whole life cycle of a public key. Its main role is issuing and managing digital certificates over their entire life cycle: issuing the certificate, specifying its validity period, and revoking it when necessary by publishing a Certificate Revocation List (CRL), also called a certificate blacklist.
Therefore, if the identity of the certificate authority to which the second reference digital certificate belongs exists in the certificate authority trust list of the first end and the tampered state of the digital signature is not tampered, it is necessary to continuously detect whether the second reference digital certificate exists in the revocation list of the certificate authority.
S1304, if the second reference digital certificate does not exist in the revocation list of the certificate authority, determining that the validity of the second digital certificate is verified.
If the second reference digital certificate does not exist in the revocation list of the certificate authority to which it belongs, it is not on that authority's certificate blacklist. Absence from the revocation list does not by itself establish that the certificate is within its specified validity period: a CRL lists revoked certificates, and an expired certificate is usually dropped from it, so the validity period should be checked separately against the current time.
Therefore, if the second reference digital certificate does not exist in the revocation list of the certificate authority to which the second reference digital certificate belongs, the validity of the second digital certificate is determined to pass the verification; the validity of the second digital certificate passes verification, that is, the identification of the certificate authority exists in the trust list of the certificate authority, the tampered state of the digital signature is not tampered, and the revocation list of the certificate authority does not have the second reference digital certificate.
In one embodiment, if any one of the following three conditions holds, the validity verification of the second digital certificate does not pass: the identification of the certificate authority does not exist in the trust list of the certificate authority; the tampering state of the digital signature is tampered; or the second reference digital certificate exists in the revocation list of the certificate authority.
If the first end judges that the validity verification of the second digital certificate is not passed, the second end sending the second digital certificate is considered to be a forged end of an attacker, and therefore, in order to guarantee safety, the first end can actively disconnect a connecting channel between the first end and the second end.
In the access authentication method, the first end decrypts the second digital certificate to obtain a second reference digital certificate, the second reference digital certificate includes an identifier of an authentication center to which the second reference digital certificate belongs and a digital signature, detects whether the identifier of the authentication center exists in a pre-stored trust list of the authentication center, and verifies a tampering state of the digital signature, detects whether the second reference digital certificate exists in a revocation list of the authentication center if the identifier of the authentication center exists in the trust list of the authentication center and the tampering state of the digital signature is not tampered, and determines that the validity verification of the second digital certificate passes if the second reference digital certificate does not exist in the revocation list of the authentication center. In the method, the communication security between the first end and the second end is improved by detecting the identification of the authentication center to which the second digital certificate belongs, the tampering state of the digital signature and whether the second digital certificate is in a revocation list of the authentication center.
Optionally, the manner of verifying the validity of the first digital certificate may be the same as the manner of verifying the validity of the second digital certificate, and details are not repeated here.
If the second end determines that the validity verification of the first digital certificate does not pass, the first end sending the first digital certificate can be considered to be a forged end of an attacker, and therefore, in order to ensure the safety, the second end can actively disconnect the connection channel between the second end and the first end.
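The chain-of-trust check described above (H1 against H2) and the three checks of S1302 to S1304, carried out on real X.509 objects. This is an added example and not code from the patent: it uses only the Go standard library (crypto/x509; the CRL functions need Go 1.19 or later), ECDSA P-256 keys, and a constructed one-level chain in which the root, standing in for the authentication center, issues the service host's certificate directly. The names, serial numbers and validity periods are assumptions. Certificate.Verify performs the trust-list and signature checks and also enforces the validity period, which the text leaves implicit; the CRL is parsed and its own signature checked against the issuer before the serial is looked up, so a CRL an attacker fabricated cannot hide a revocation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // parse back so the result carries the raw bytes Verify needs
	return c
}

// newTestPKI builds a constructed PKI (names and serials are assumptions): a trusted root, the "authentication center", and one leaf it issued to the service host, the "second digital certificate".
func newTestPKI(caName, hostName string) (*x509.Certificate, *ecdsa.PrivateKey, *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: hostName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return root, rootKey, issue(leafTmpl, root, &leafKey.PublicKey, rootKey)
}

// crlFor builds a CRL signed by issuer that lists the given serials (the revocation list of
// S1303); called with no serials it is a valid CRL that revokes nothing.
func crlFor(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked ...*big.Int) []byte {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: entries,
	}, issuer, key)
	if err != nil {
		panic(err)
	}
	return der
}

// VerifyPeerCert is the first end's check of S1302-S1304: (1) the issuer is in the pre-stored
// trust list, (2) the signature is intact, i.e. the digest recomputed over the certificate body
// (H1) equals the one the issuer signed (H2), (3) the serial is not on the issuer's CRL. Verify also
// rejects a certificate outside its validity period, and the CRL's own signature is checked first.
func VerifyPeerCert(peer *x509.Certificate, trustList []*x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	for _, c := range trustList {
		roots.AddCert(c)
	}
	chains, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return fmt.Errorf("issuer not trusted, signature invalid or certificate expired: %w", err)
	}
	if len(chains[0]) < 2 {
		return fmt.Errorf("peer presented a trust anchor itself, not an end-entity certificate")
	}
	issuer := chains[0][1] // chain[0] is the peer, chain[1] the certificate that signed it
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by issuer, a forged CRL could hide a revocation: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", peer.SerialNumber)
		}
	}
	return nil
}

func main() {
	root, rootKey, leaf := newTestPKI("Example Authentication Center", "service-host-01")
	fmt.Println("valid:  ", VerifyPeerCert(leaf, []*x509.Certificate{root}, crlFor(root, rootKey)))
	fmt.Println("revoked:", VerifyPeerCert(leaf, []*x509.Certificate{root}, crlFor(root, rootKey, leaf.SerialNumber)))
	rogueRoot, rogueKey, rogueLeaf := newTestPKI("Rogue CA", "service-host-01") // issuer not in trust list
	fmt.Println("rogue:  ", VerifyPeerCert(rogueLeaf, []*x509.Certificate{root}, crlFor(rogueRoot, rogueKey)))
}
```

Running main prints `<nil>` for the genuine certificate, a revocation error once its serial is placed on the CRL, and an unknown-authority error for a certificate with the same host name issued by a CA absent from the trust list. For a chain with intermediate certificates, pass them in VerifyOptions.Intermediates; the CRL issuer is still taken from chains[0][1], the certificate that directly signed the peer.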
In one embodiment, as shown in fig. 15, this embodiment includes the steps of:
s1501, if the first digital certificate and the second digital certificate are both legal, the first end constructs a connecting channel with the second end; the connection channel includes a transport protocol between the first end and the second end.
If the first digital certificate and the second digital certificate are both legal, the first end sending the first digital certificate can be considered to be trusted, and the second end sending the second digital certificate can be considered to be trusted, i.e. the two-way digital certificate is verified.
When the two-way digital certificate is verified, the first end may establish a secure connection channel between itself and the second end, and the connection channel may be established by the first end sending a transmission protocol between the first end and the second end to the second end.
Alternatively, the type of the connection channel may be determined according to the actual situation; for example, it may be a Transport Layer Security (TLS) connection channel, a Transmission Control Protocol (TCP) connection channel, or a Secure Sockets Layer (SSL) connection channel. Note that SSL is the deprecated predecessor of TLS and should not be chosen for new deployments, and that a bare TCP channel gives no confidentiality or integrity of its own, which leaves the signature over the access message as the only protection of that message.
The first end constructs a safe connection channel with the second end, so that the reliability and the safety of message transmission between the first end and the second end can be ensured.
S1502, the first end receives the access packet of the second end through the connection channel.
After the first end has constructed the connection channel with the second end, the second end, upon receiving the channel-construction information sent by the first end, sends the access message to the first end through the connection channel.
After the connection channel between the first end and the second end is constructed, the second end can acquire access data and generate an access message based on the access data, and the access message can be obtained by signing the access data through a private key of a second digital certificate of the second end; the access data is access authentication request data sent by the second end to the first end.
In the access authentication method, if the first digital certificate and the second digital certificate are both legal, the first end establishes a connection channel with the second end; the connection channel comprises a transmission protocol between the first end and the second end, and the first end receives the access message of the second end through the connection channel. In the method, before access authentication is carried out, a digital certificate is exchanged between the first end and the second end and bidirectional digital certificate authentication is carried out, after the bidirectional authentication is passed, a connecting channel between the first end and the second end is constructed by the first end to receive an access message of the second end, so that the legality of equipment of both sides can be effectively ensured, and the safety of the access authentication process can be effectively ensured.
In one embodiment, as shown in fig. 16, the access message includes access data and signature data; the second digital certificate comprises a public key of the second digital certificate; the first end authenticates the access packet, including:
S1601, the first end decrypts the signature data with the public key of the second digital certificate to obtain first digest information.
And after the first end passes the validity verification of the second digital certificate, the first end stores the second digital certificate and acquires the public key of the second digital certificate from the second digital certificate.
The access message comprises access data and signature data; and the signature data is obtained by the second end through signature according to the access data and the private key of the second digital certificate.
The generation mode of the signature data may be that the second end extracts the digest of the access message according to a digest extraction mode predetermined with the first end to obtain digest information of the access message, and encrypts the digest information of the access message by using a private key of the second digital certificate, where the encryption processing mode is to encrypt the digest information based on an encryption algorithm predetermined with the first end and generate encrypted digest information, that is, signature data.
The Digest extraction method may be set according to actual application requirements, for example, the Digest algorithm (Digest) is divided into a Message Digest algorithm (MD), a secure hash algorithm, and a Message Authentication Code (MAC); the encryption algorithm can also be set according to the actual application requirements, such as a block cipher algorithm, an elliptic curve public key cipher algorithm, a hash algorithm and the like; the present embodiment does not set any limit to the digest extraction method and the type of encryption algorithm.
After the second end obtains the signature data, the access data and the signature data are sent to the first end as access messages; after receiving the access message, the first end firstly decrypts the signature data according to the public key of the second digital certificate to obtain the first summary information.
When the signature data is decrypted, the decryption algorithm adopted is the decryption algorithm agreed by the first end and the second end in advance, and is the decryption algorithm corresponding to the encryption algorithm adopted when the second end obtains the signature data.
If the first end successfully decrypts the signature data, the access message is sent by the second end, and if the signature data cannot be decrypted, the access message is not sent by the second end; if the access message is determined not to be sent by the second end, the first end may actively disconnect the connection channel with the second end.
And S1602, the first end determines a digest extraction mode of the signature data, and extracts the digest of the access data through the digest extraction mode to obtain second digest information.
If the first end successfully decrypts the signature data of the access message according to the public key of the second digital certificate to obtain the first abstract information, the first end extracts the abstract of the access data in the access message according to an abstract extraction mode predetermined with the second end to obtain the second abstract information.
It should be noted that the digest extraction method corresponding to the second digest information is the same as the digest extraction method for obtaining the signature data, and is a digest extraction method agreed in advance by the first end and the second end, and the digest extraction method is not limited in this embodiment of the present application.
S1603, comparing the first abstract information with the second abstract information, and if the first abstract information is the same as the second abstract information, the first end determines that the access packet is authenticated.
Comparing the obtained first abstract information with the second abstract information, if the first abstract information is the same as the second abstract information, indicating that the access data is not tampered, and determining that the access message passes the authentication by the first end; if the first summary information and the second summary information are not the same, the access data is tampered.
In the access authentication method, the first end decrypts the signature data according to the public key of the second digital certificate to obtain first abstract information, determines an abstract extraction mode of the signature data, extracts the abstract of the access data through the abstract extraction mode to obtain second abstract information, compares the first abstract information with the second abstract information, and if the first abstract information is the same as the second abstract information, determines that the access message passes authentication. In the method, the access data in the access message is authenticated, and the communication safety between the first end and the second end is ensured.
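The check of S1601 to S1603, as an added Go example that is not part of the patent or of any implementation it describes. It assumes RSA with PKCS#1 v1.5 padding as the agreed encryption algorithm and SHA-256 as the agreed digest extraction method, and it spells out the "decrypt the signature data with the public key" step with modular exponentiation so that the recovered first digest can be compared with the second digest; the struct and function names and the sample access data are the example's own.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
)

// AccessMessage is the access message of fig. 16: the access data plus the
// signature data the second end produced with the private key of its
// digital certificate. Field names are an assumption of this example.
type AccessMessage struct {
	AccessData []byte
	Signature  []byte
}

// sha256DigestInfo is the DER prefix PKCS#1 v1.5 places in front of a
// SHA-256 hash (RFC 8017, section 9.2, note 1).
var sha256DigestInfo = []byte{0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
	0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}

// SignAccessData is the second end's side: digest the access data with the
// agreed digest method (SHA-256) and encrypt the digest with the private key
// (an RSA PKCS#1 v1.5 signature).
func SignAccessData(priv *rsa.PrivateKey, accessData []byte) (AccessMessage, error) {
	digest := sha256.Sum256(accessData)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return AccessMessage{}, err
	}
	return AccessMessage{AccessData: accessData, Signature: sig}, nil
}

// recoverDigest is step S1601 spelled out: apply the public key to the
// signature data (s^e mod n) and parse the PKCS#1 v1.5 block to obtain the
// first digest. Any input of the right length yields some number, so the
// padding check below is what distinguishes "decrypted successfully" from
// garbage; the digest comparison in AuthenticateAccessMessage then decides.
func recoverDigest(pub *rsa.PublicKey, sig []byte) ([]byte, error) {
	k := pub.Size()
	if len(sig) != k {
		return nil, errors.New("signature length does not match the modulus")
	}
	m := new(big.Int).Exp(new(big.Int).SetBytes(sig), big.NewInt(int64(pub.E)), pub.N)
	em := m.FillBytes(make([]byte, k)) // left-pad to the modulus length
	// Expected layout: 0x00 0x01 FF..FF 0x00 DigestInfo Hash (RFC 8017, 9.2)
	tLen := len(sha256DigestInfo) + sha256.Size
	if k < tLen+11 || em[0] != 0x00 || em[1] != 0x01 {
		return nil, errors.New("bad PKCS#1 v1.5 header")
	}
	for _, b := range em[2 : k-tLen-1] {
		if b != 0xff {
			return nil, errors.New("bad PKCS#1 v1.5 padding")
		}
	}
	if em[k-tLen-1] != 0x00 || !bytes.Equal(em[k-tLen:k-sha256.Size], sha256DigestInfo) {
		return nil, errors.New("bad DigestInfo")
	}
	return em[k-sha256.Size:], nil
}

// AuthenticateAccessMessage is the first end's side, S1601 to S1603: recover
// the first digest from the signature data, compute the second digest from
// the access data, and accept only if the two are equal.
func AuthenticateAccessMessage(pub *rsa.PublicKey, msg AccessMessage) bool {
	first, err := recoverDigest(pub, msg.Signature)
	if err != nil {
		return false
	}
	second := sha256.Sum256(msg.AccessData)
	return subtle.ConstantTimeCompare(first, second[:]) == 1
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg, _ := SignAccessData(priv, []byte("ACCESS-AUTH-REQUEST host=srv01")) // constructed access data
	fmt.Println("genuine message accepted:", AuthenticateAccessMessage(&priv.PublicKey, msg))
	tampered := msg
	tampered.AccessData = []byte("ACCESS-AUTH-REQUEST host=attacker")
	fmt.Println("tampered message accepted:", AuthenticateAccessMessage(&priv.PublicKey, tampered))
}
```

Because every input of the right length "decrypts" to some number, recoverDigest treats a malformed padding block as a failure and checks the whole block rather than only reading the trailing hash bytes; the final decision rests on the digest comparison. A production implementation would simply call rsa.VerifyPKCS1v15, which performs exactly these steps.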
In one embodiment, as shown in fig. 17, the access message includes access data and cyclic redundancy check data; the second digital certificate comprises a public key of the second digital certificate; the first end authenticates the access message, including the following steps:
S1701, the first end decrypts the cyclic redundancy check data according to the public key of the second digital certificate to obtain a first cyclic redundancy check value.
And after the first end passes the validity verification of the second digital certificate, the first end stores the second digital certificate and acquires the public key of the second digital certificate from the second digital certificate.
The access message comprises access data and cyclic redundancy check data; and the cyclic redundancy check data is generated by the second terminal according to the access data and the private key of the second digital certificate.
A cyclic redundancy check (CRC) is a channel coding technique that generates a short, fixed-length check code from data such as a network packet or a computer file; it is mainly used to detect errors that may occur during transmission or storage, and it is based on polynomial division, the check value being the remainder.
No matter how well a transmission system is designed, errors occur during data transmission and may damage one or more frames on the link (bit errors, a 0 becoming 1 or a 1 becoming 0), so that the receiver obtains wrong data. To improve the correctness of the received data as far as possible, error detection is applied before the receiver accepts the data, and the data is accepted only when the detection result is correct.
There are many detection methods; parity checks, the Internet checksum and cyclic redundancy checks are common. A cyclic redundancy check verifies the accuracy of digital transmission over a communication link by establishing an agreed relationship between the data bits and the check bits through a mathematical operation: the sending computer calculates a value from the transmitted data with a formula and appends it to the data, and the receiving computer performs the same calculation on the same data and should obtain the same result. If the two CRC results differ, a transmission error has occurred and the receiving computer may request the sending computer to retransmit the data.
Therefore, the second end can send the access message with the cyclic redundancy check data to the first end, and whether the access message sent by the second end is tampered or not is determined by verifying the cyclic redundancy check data.
The access message sent by the second end to the first end comprises access data and cyclic redundancy check data, wherein the cyclic redundancy check data can be generated in a mode that the second end adopts a check value generation mode agreed with the first end in advance to calculate a cyclic redundancy check value of the access data, and meanwhile, the cyclic redundancy check value of the access data is encrypted by using a private key of a second digital certificate, and the encryption processing mode is that an encrypted cyclic redundancy check value, namely the cyclic redundancy check data, is generated by encrypting based on an encryption algorithm preset by the second end and the first end.
The check value generation manner may be set according to actual application requirements, for example, a CRC method may be adopted, and the encryption algorithm may be the same as the limited content of the above embodiment, which is not described herein again.
After the second end obtains the cyclic redundancy check data, the access data and the cyclic redundancy check data are sent to the first end as access messages; after receiving the access message, the first end firstly decrypts the cyclic redundancy check data according to the public key of the second digital certificate to obtain a first cyclic redundancy check value.
When the cyclic redundancy check data is decrypted, the decryption algorithm adopted is the decryption algorithm which is agreed in advance by the first end and the second end, and the decryption algorithm is the decryption algorithm corresponding to the encryption algorithm adopted when the cyclic redundancy check data is obtained by the second end.
If the first end successfully decrypts the cyclic redundancy check data, the access message is sent by the second end, and if the cyclic redundancy check data cannot be decrypted, the access message is not sent by the second end; if the access message is determined not to be sent by the second end, the first end may actively disconnect the connection channel with the second end.
S1702, the first end calculates the access data according to a preset check value generation method to obtain a second cyclic redundancy check value.
If the first end successfully decrypts the cyclic redundancy check data of the access message according to the public key of the second digital certificate to obtain the first cyclic redundancy check value, the first end calculates the access data in the access message according to a check value generation method agreed with the second end in advance to obtain the second cyclic redundancy check value.
It should be noted that the method for generating the check value corresponding to the second cyclic redundancy check value is the same as the method for generating the check value corresponding to the cyclic redundancy check data, and is a method for generating the check value that is agreed in advance by the first end and the second end.
S1703, the first cyclic redundancy check value is compared with the second cyclic redundancy check value, and if the first cyclic redundancy check value is the same as the second cyclic redundancy check value, the first end determines that the access message passes authentication.
If the first cyclic redundancy check value is the same as the second cyclic redundancy check value, the access data has not been altered in transmission, and the first end determines that the access message passes authentication; if the two values differ, the access data has been altered. It should be noted that a cyclic redundancy check is designed to detect accidental transmission errors: because the CRC is a linear function of the data, an attacker who can alter the access data can also choose the alteration (for example by appending a few bytes) so that the CRC value is unchanged, and the encrypted check value then still verifies. Equality of the two CRC values therefore rules out transmission errors but not deliberate modification; where tampering by an active attacker is in scope, the signed-digest variant of fig. 16 with a cryptographic hash should be preferred.
In the access authentication method, the first end decrypts the cyclic redundancy check data according to the public key of the second digital certificate to obtain a first cyclic redundancy check value; the first end calculates the access data according to a preset check value generation method to obtain a second cyclic redundancy check value; the first cyclic redundancy check value is compared with the second cyclic redundancy check value; and if the two are the same, the first end determines that the access message passes authentication. In this way the access data in the access message is checked, and the communication between the first end and the second end is protected against transmission errors and against replacement of the message by a party that does not hold the private key of the second digital certificate.
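A worked Go example, added here and not part of the patent, of the signed-CRC variant in S1701 to S1703, showing the caveat above: an attacker who changes the access data can append four bytes that restore the original CRC-32 value, so the first end's check passes with the original cyclic redundancy check data reused unchanged. Key generation, field names, the sample access data and the use of RSA PKCS#1 v1.5 over the raw 4-byte CRC as the "encryption with the private key" are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// CRCMessage is the access message of fig. 17: the access data plus the
// cyclic redundancy check data (the CRC value encrypted with the private key
// of the second digital certificate). Field names are this example's own.
type CRCMessage struct {
	AccessData []byte
	CRCData    []byte
}

// crcBytes is the preset check value generation method: CRC-32 (IEEE).
func crcBytes(data []byte) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, crc32.ChecksumIEEE(data))
	return b
}

// MakeCRCMessage is the second end's side: compute the CRC of the access
// data and encrypt it with the private key (RSA PKCS#1 v1.5 over the raw
// 4-byte value; hash 0 means "sign the input as given").
func MakeCRCMessage(priv *rsa.PrivateKey, accessData []byte) (CRCMessage, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, 0, crcBytes(accessData))
	if err != nil {
		return CRCMessage{}, err
	}
	return CRCMessage{AccessData: accessData, CRCData: sig}, nil
}

// AuthenticateCRCMessage is the first end's side, S1701 to S1703: recover the
// first CRC value from the CRC data with the public key and compare it with
// the second CRC value computed from the access data (VerifyPKCS1v15 does
// both the "decryption" and the comparison).
func AuthenticateCRCMessage(pub *rsa.PublicKey, msg CRCMessage) bool {
	return rsa.VerifyPKCS1v15(pub, 0, crcBytes(msg.AccessData), msg.CRCData) == nil
}

// ForgeSameCRC32 returns forged followed by four bytes chosen so that its
// CRC-32 equals the CRC-32 of original. It walks the CRC register backwards
// through four byte steps; this works because CRC-32 is linear and the high
// byte of each entry of the CRC table is unique.
func ForgeSameCRC32(original, forged []byte) []byte {
	tab := crc32.IEEETable
	var invTop [256]uint32
	for i, v := range tab {
		invTop[v>>24] = uint32(i)
	}
	reg := ^crc32.ChecksumIEEE(forged)    // register state after the forged prefix
	want := ^crc32.ChecksumIEEE(original) // register state we need at the end
	for i := 0; i < 4; i++ {
		idx := invTop[want>>24]
		want = ((want ^ tab[idx]) << 8) | idx
	}
	patch := reg ^ want
	out := append([]byte{}, forged...)
	for i := 0; i < 4; i++ {
		out = append(out, byte(patch>>(8*i)))
	}
	return out
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	genuine, _ := MakeCRCMessage(priv, []byte("ACCESS-AUTH-REQUEST host=srv01 role=guest")) // constructed
	fmt.Println("genuine accepted:", AuthenticateCRCMessage(&priv.PublicKey, genuine))
	// The attacker changes the access data and reuses the genuine CRC data.
	forged := CRCMessage{
		AccessData: ForgeSameCRC32(genuine.AccessData, []byte("ACCESS-AUTH-REQUEST host=srv01 role=admin ")),
		CRCData:    genuine.CRCData,
	}
	fmt.Println("forged accepted: ", AuthenticateCRCMessage(&priv.PublicKey, forged))
}
```

The private key is never needed for the forgery: the attacker only needs the original message, which travels over the connection channel. Replacing the CRC with a cryptographic hash, as in the fig. 16 variant, removes this property because a collision can then no longer be constructed.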
In one embodiment, the first end parses the access message, determines the data transmission protocol corresponding to the access message, checks the order of the access messages according to that protocol, and corrects messages that arrive out of order. In practical application, when a plurality of access messages are sent between the first end and the second end, the order in which they arrive may differ from the order in which they were sent; in that case the order of the access messages can be checked according to the data transmission protocol and the messages with the wrong order corrected.
In one embodiment, the first end adds the second end to the white list when the access message is authenticated. And providing network service for the second end passing the access authentication by using a white list mode. And when the second terminal is offline, the second terminal is removed from the white list, and when the second terminal is accessed again, the access authentication needs to be carried out again.
Illustratively, when the second end and the first end communicate normally, if the first end receives a message sent by the second end, it may determine whether the second end is in the white list; if so, the message is received normally and undergoes the corresponding security analysis and forwarding, and if not, forwarding of the message is blocked.
In one embodiment, taking the first end as the safety protection device and the second end as the service host as an example: by exchanging digital certificates with the service host, performing bidirectional digital certificate verification, performing signature verification on the access message sent by the service host, and allowing the service host to access only when the signature verification passes, an access authentication scheme based on a dual verification mechanism of identity signature verification and command signature verification is realized. This ensures the secure access of the service host, effectively improves the communication security between the service host and the safety protection device, and avoids the communication risk that a key leakage or the lack of an identity authentication mechanism would bring to the service host and the safety protection device.
In an embodiment, taking the first end as the safety protection device, the second end as the service host, and the access message as the access authentication request message as an example, as shown in fig. 18, the embodiment includes:
S1801, after receiving the handshake request sent by the service host, the safety protection device sends its second digital certificate to the service host, so that the service host verifies the second digital certificate.
The second digital certificate comprises identity information of the safety protection device;
before the safety protection device sends the second digital certificate to the service host, the second digital certificate may be encrypted with the public key of the service host;
before the service host verifies the second digital certificate, it decrypts the second digital certificate with its own private key;
the verification of the second digital certificate by the service host may include: determining whether the second digital certificate was issued by a certificate authority, whether it has been tampered with, and whether it is in a revocation list; if the second digital certificate was issued by a certificate authority, has not been tampered with and is not in a revocation list, it is determined to have passed verification;
the verification method depends on the type of certificate, and certificate types include Public Key Infrastructure (PKI) digital certificates, X.509 certificates and the like;
s1802, after the business host passes the verification of the second digital certificate, the business host sends a first digital certificate to the safety protection device; and after the safety protection equipment receives the first digital certificate, verifying the first digital certificate.
Wherein the first digital certificate comprises identity information of the service host.
Before the service host sends the first digital certificate to the safety protection equipment, the public key of the safety protection equipment is used for encrypting the first digital certificate; before the safety protection equipment verifies the first digital certificate, the first digital certificate is decrypted by using a private key of the safety protection equipment; verifying the first digital certificate of the service host may include: determining whether the first digital certificate is issued by a certificate authority, tampered and in a revocation list; and if the first digital certificate is issued by a certificate authority, is not tampered and is not in a revocation list, judging that the first digital certificate is verified.
S1803, if the service host determines that the second digital certificate is verified, and the security protection device determines that the first digital certificate is verified, it is determined that the bidirectional digital certificate is verified.
And the safety protection equipment stores a first digital certificate of the service host and acquires a public key of the first digital certificate, and the service host stores a second digital certificate of the safety protection equipment and acquires a public key of the second digital certificate.
If the service host judges that the second digital certificate is not verified, the service host disconnects a connecting channel between the service host and the safety protection equipment; and if the safety protection equipment judges that the first digital certificate is not verified, the safety protection equipment disconnects the connection channel with the service host.
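The certificate checks of S1801 and S1802 (issued by a certificate authority in the trust list, not tampered with, not in a revocation list), as an added Go example that is not part of the patent; the same code corresponds to the verification unit and its detection subunits in the apparatus of fig. 19. It assumes X.509 certificates, a self-signed certificate authority constructed in the example as the trust list, and a revocation list modelled as a set of issuer and serial number pairs; the type and function names are the example's own. The encryption of the certificate with the peer's public key before transmission is left out, since it does not change the checks.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verifier holds what the verification unit of the first end needs: the trust
// list of certificate authorities and the revocation list, the latter modelled
// here (an assumption of this example) as a set of "issuer#serial" strings.
type Verifier struct {
	TrustList *x509.CertPool
	Revoked   map[string]bool
}

// RevocationKey identifies a certificate in Verifier.Revoked.
func RevocationKey(issuer pkix.Name, serial *big.Int) string {
	return issuer.String() + "#" + serial.String()
}

// VerifyPeerCertificate applies the checks of S1801/S1802 to a DER-encoded
// peer certificate: the issuer must be in the trust list and its signature
// over the certificate must verify (cert.Verify hashes the signed fields and
// compares with the signature, which is the tamper-state check), and the
// certificate must not be in the revocation list.
func (v *Verifier) VerifyPeerCertificate(der []byte, now time.Time) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, fmt.Errorf("certificate does not parse: %w", err)
	}
	opts := x509.VerifyOptions{Roots: v.TrustList, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("issuer not trusted or certificate tampered: %w", err)
	}
	if v.Revoked[RevocationKey(cert.Issuer, cert.SerialNumber)] {
		return nil, errors.New("certificate is in the revocation list")
	}
	return cert, nil
}

// NewCA builds a self-signed certificate authority (constructed test data).
func NewCA(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Issue creates a peer certificate carrying the peer's identity information
// (its common name), signed by the CA; it returns the DER bytes and the key.
func Issue(ca *x509.Certificate, caKey *rsa.PrivateKey, cn string, serial int64) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	return der, key, err
}

func main() {
	ca, caKey, err := NewCA("Example Device CA")
	if err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	v := &Verifier{TrustList: pool, Revoked: map[string]bool{}}
	hostDER, _, _ := Issue(ca, caKey, "service-host-01", 1001)
	revokedDER, _, _ := Issue(ca, caKey, "service-host-02", 1002)
	v.Revoked[RevocationKey(ca.Subject, big.NewInt(1002))] = true
	tampered := append([]byte{}, hostDER...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the CA's signature
	cases := []struct{ name string; der []byte }{{"host-01", hostDER}, {"host-02 (revoked)", revokedDER}, {"host-01 (tampered)", tampered}}
	for _, c := range cases {
		_, err := v.VerifyPeerCertificate(c.der, time.Now())
		fmt.Printf("%s: accepted=%v (%v)\n", c.name, err == nil, err)
	}
}
```

The order of the checks matches S1802: the issuer and signature are checked first, so that a revocation lookup is only performed for a certificate that is genuinely from a trusted authority. A real deployment would obtain the revocation list from the authority (a CRL or an online status check) rather than from a constructed set.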
S1804, the safety protection device constructs a safety connection channel between itself and the service host.
The secure connection channel may be a Transport Layer Security (TLS) connection channel or a Transmission Control Protocol (TCP) connection channel. A plain TCP channel provides no confidentiality or integrity of its own, so in that case the protection of the access authentication request message rests entirely on the signature or encrypted check value described in the following steps; a TLS channel additionally protects the whole exchange carried on the channel.
S1805, the service host sends an access authentication request message to the security protection device based on the security connection channel.
S1806, the security protection device authenticates the access authentication request message by using the public key of the first digital certificate.
If the access authentication request message comprises access authentication data and signature data, the safety protection device verifies the signature of the access authentication request message with the public key of the first digital certificate.
The signature data is obtained by signing the access authentication data with the private key of the first digital certificate of the service host.
The signature data is obtained as follows: a digest of the access authentication data is extracted with a hash algorithm (the digest extraction method) to obtain the first digest information, and the first digest information is encrypted with the private key of the first digital certificate to obtain the encrypted digest information, that is, the signature data.
The signature verification proceeds as follows: the safety protection device decrypts the signature data in the access authentication request message with the public key of the first digital certificate to obtain the first digest information; the safety protection device extracts a digest of the access authentication data in the access authentication request message with the digest extraction method corresponding to the signature data (the method agreed in advance) to obtain the second digest information; the first digest information is compared with the second digest information; if they are the same, the access authentication data has not been tampered with and the access authentication request message passes signature verification; otherwise, signature verification fails.
If the access authentication request message comprises access authentication data and cyclic redundancy check data, the safety protection device verifies the access authentication request message with the public key of the first digital certificate.
The cyclic redundancy check data is obtained by the service host as follows: a first cyclic redundancy check value is calculated from the access authentication data with the preset check value generation method, and the first cyclic redundancy check value is encrypted with the private key of the first digital certificate, using the preset encryption algorithm, to generate the encrypted cyclic redundancy check value.
The verification proceeds as follows: the safety protection device decrypts the cyclic redundancy check data with the public key of the first digital certificate and the predetermined decryption algorithm to obtain the first cyclic redundancy check value; the safety protection device calculates a second cyclic redundancy check value from the access authentication data with the predetermined check value generation method; if the first cyclic redundancy check value and the second cyclic redundancy check value are the same, the access authentication data has not been altered in transmission (a cyclic redundancy check is linear, so this rules out transmission errors but not deliberate modification by an attacker who can append bytes) and the access authentication request message passes verification; otherwise, verification fails.
S1807, when the access authentication request message passes the authentication, a response message of successful access authentication is sent to the service host; and when the access authentication request message fails to pass the verification, sending a response message of access authentication failure to the service host.
When the access authentication request message passes the verification, the service host is allowed to access, a response message of successful access authentication is sent to the service host, and meanwhile, the safety protection equipment can start normal communication with the service host; when the access authentication request message fails in the verification, the safety protection device can actively disconnect the connection channel between the safety protection device and the service host, and send a response message (reply message of refusing access) of access authentication failure to the service host.
In addition, when the access authentication request message passes the verification, the safety protection equipment adds the service host to the white list.
The white list mode can be used for providing network service for the service host passing the access authentication. And when the service host is offline, removing the service host from the white list, and when the service host is accessed again, performing access authentication again.
When the service host and the safety protection device communicate normally, if the safety protection device receives a message sent by the service host, it may determine whether the service host is in the white list; if so, the message is received normally and undergoes security analysis, forwarding and other processing, and if not, forwarding of the message is blocked.
For specific limitations of the access authentication method provided in this embodiment, reference may be made to the above step limitations of each embodiment in the access authentication method, which is not described herein again.
It should be understood that, although the steps in the flowcharts of the above embodiments are shown in sequence as indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated otherwise, the steps need not be performed in the exact order shown and described and may be performed in other orders. Moreover, at least some of the steps in those figures may comprise multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and their order of execution is not necessarily sequential; they may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
In one embodiment, as shown in fig. 19, an embodiment of the present application further provides an access authentication apparatus 1900, where the apparatus 1900 includes: a verification module 1901, a first sending module 1902, an authentication module 1903, and a second sending module 1904, wherein:
a verification module 1901, configured to perform, by the first end, a digital certificate verification operation in response to the handshake request sent by the second end; the digital certificate verification operation is used to verify the legality of the first digital certificate of the first end and the second digital certificate of the second end;
a first sending module 1902, configured to send an information authentication instruction to the second end if the first digital certificate and the second digital certificate are both legal, where the information authentication instruction is used to obtain an access message of the second end;
an authentication module 1903, configured to authenticate the access message by the first end;
a second sending module 1904, configured to send, by the first end to the second end, a response message indicating that authentication is successful if the access message passes authentication; the response message indicates that data communication is allowed between the first end and the second end.
In one embodiment, the verification module 1901 includes:
the first sending unit is used for sending the first digital certificate to the second end by the first end so as to indicate the second end to verify the validity of the first digital certificate;
the second sending unit is used for receiving a second digital certificate sent by the second end by the first end, wherein the second digital certificate is sent after the second end determines that the first digital certificate is legal;
the verification unit is used for verifying the legality of the second digital certificate by the first end;
and the first end is used for determining that the first digital certificate and the second digital certificate are both legal if the validity verification of the second digital certificate is passed.
In one embodiment, the first sending unit comprises:
the encryption subunit is used for the first end to encrypt the first reference digital certificate according to the public key of the second end to obtain a first digital certificate; the first reference digital certificate comprises identity information of the first terminal;
and the first sending subunit is used for sending the first digital certificate to the second end.
In one embodiment, the verification unit includes:
the first decryption subunit is used for decrypting the second digital certificate by the first end to obtain a second reference digital certificate; the second reference digital certificate comprises an identification and a digital signature of a certificate authority to which the second reference digital certificate belongs;
the first detection subunit is used for detecting whether the identification of the authentication center exists in a pre-stored authentication center trust list or not and verifying the tampering state of the digital signature;
the second detection subunit is configured to detect whether a second reference digital certificate exists in the revocation list of the certificate authority if the identifier of the certificate authority exists in the trust list of the certificate authority and the tampering state of the digital signature is not tampered;
and the first determining subunit is used for determining that the validity verification of the second digital certificate passes if the second reference digital certificate does not exist in the revocation list of the authentication center.
In one embodiment, the first detection subunit includes:
the second decryption subunit is used for the first end to acquire the public key of the authentication center and decrypt the digital signature according to the public key of the authentication center to obtain a first hash value;
the calculating subunit is used for calculating, by the first end, the attribute information of the second reference digital certificate (the fields covered by the authentication center's signature) according to a preset hash algorithm to obtain a second hash value;
and the second determining subunit is used for determining that the tampering state of the digital signature is not tampered by the first end if the first hash value is the same as the second hash value.
In one embodiment, the apparatus 1900 further comprises:
the building module is used for building a connecting channel between the first end and the second end if the first digital certificate and the second digital certificate are both legal; the connection channel comprises a transmission protocol between the first end and the second end;
and the receiving module is used for receiving the access message of the second end by the first end through the connecting channel.
In one embodiment, the authentication module 1903 includes:
the first decryption unit is used for decrypting the signature data by the first end according to the public key of the second digital certificate to obtain first summary information;
the extraction unit is used for determining an abstract extraction mode of the signature data by the first end and extracting an abstract of the access data in the abstract extraction mode to obtain second abstract information;
and the second determining unit is used for comparing the first abstract information with the second abstract information, and if the first abstract information is the same as the second abstract information, the first end determines that the access message passes the authentication.
In one embodiment, the authentication module 1903 includes:
the second decryption unit is used for decrypting the cyclic redundancy check data by the first end according to the public key of the second digital certificate to obtain a first cyclic redundancy check value;
the calculation unit is used for calculating the access data by the first end according to a preset check value generation method to obtain a second cyclic redundancy check value;
and the third determining unit is used for comparing the first cyclic redundancy check value with the second cyclic redundancy check value, and if the first cyclic redundancy check value is the same as the second cyclic redundancy check value, the first end determines that the access message passes the authentication.
For specific limitations of the access authentication device, reference may be made to the above limitations of each step in the access authentication method, which is not described herein again. The modules in the access authentication device may be wholly or partially implemented by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a target device, and can also be stored in a memory of the target device in a software form, so that the target device can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, as shown in fig. 20, comprising a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The communication interface of the computer device is used for wired or wireless communication with an external terminal, and the wireless communication can be realized through Wi-Fi, a mobile cellular network, near field communication (NFC) or other technologies. The computer program, when executed by the processor, implements an access authentication method. The display screen of the computer device can be a liquid crystal display or an electronic ink display, and the input device of the computer device can be a touch layer covering the display screen, a key, a trackball or a touch pad arranged on the housing of the computer device, or an external keyboard, touch pad or mouse.
It will be appreciated by those skilled in the art that the structural description of the computer apparatus described above is only a partial structure relevant to the present application, and does not constitute a limitation on the computer apparatus to which the present application is applied, and a particular computer apparatus may include more or less components than those shown in the drawings, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is further provided, which includes a memory and a processor, the memory stores a computer program, and the processor implements the steps of the above method embodiments when executing the computer program.
In the steps implemented by the processor in this embodiment, the implementation principle and technical effect are similar to those of the above-mentioned access authentication method, and are not described herein again.
In an embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
In the embodiment, the implementation principle and the technical effect of each step implemented when the computer program is executed by the processor are similar to the principle of the access authentication method, and are not described herein again.
In an embodiment, a computer program product is provided, comprising a computer program which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
In the present embodiment, the implementation principle and technical effect of each step implemented when the computer program is executed by the processor are similar to the principle of the above-mentioned access authentication method, and are not described herein again.
It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, displayed data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, Resistive Random Access Memory (ReRAM), Magnetic Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory, and the like. Volatile memory can include Random Access Memory (RAM), external cache memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases referred to in the various embodiments provided herein may include at least one of relational and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, quantum-computing-based data processing logic devices, etc., without limitation.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.
Claims (10)
1. An access authentication method, the method comprising:
in response to a handshake request sent by a second end, a first end performs a digital certificate verification operation; the digital certificate verification operation is used for verifying the legality of a first digital certificate of the first end and a second digital certificate of the second end;
if the first digital certificate and the second digital certificate are both legal, the first end sends an information authentication instruction to the second end, and the information authentication instruction is used for acquiring an access message of the second end;
the first end authenticates the access message;
if the access message passes the authentication, the first end sends a response message of successful authentication to the second end; the response message indicates that data communication is allowed between the first end and the second end.
2. The method of claim 1, wherein the first end performing the digital certificate verification operation comprises:
the first end sends the first digital certificate to the second end to instruct the second end to verify the validity of the first digital certificate;
the first end receives a second digital certificate sent by the second end, and the second digital certificate is sent after the second end determines that the first digital certificate is legal;
the first end verifies the legality of the second digital certificate;
and if the validity verification of the second digital certificate passes, the first end determines that the first digital certificate and the second digital certificate are both legal.
3. The method of claim 2, wherein the first end sending a first digital certificate to the second end comprises:
the first end encrypts a first reference digital certificate according to the public key of the second end to obtain the first digital certificate; the first reference digital certificate comprises identity information of the first end;
and sending the first digital certificate to the second end.
4. The method according to claim 2 or 3, wherein the first end verifying the validity of the second digital certificate comprises:
the first end decrypts the second digital certificate to obtain a second reference digital certificate; the second reference digital certificate comprises an identification and a digital signature of a certificate authority to which the second reference digital certificate belongs;
detecting whether the identification of the authentication center exists in a pre-stored authentication center trust list or not, and verifying the tampering state of the digital signature;
if the identification of the authentication center exists in the trust list of the authentication center and the tampering state of the digital signature is not tampered, detecting whether the second reference digital certificate exists in a revocation list of the authentication center or not;
and if the second reference digital certificate does not exist in the revocation list of the authentication center, determining that the validity of the second digital certificate passes verification.
5. The method according to claim 4, wherein the second reference digital certificate further includes attribute information of the second end; the verifying the tampered state of the digital signature comprises:
the first end acquires a public key of the authentication center and decrypts the digital signature according to the public key of the authentication center to obtain a first hash value;
the first end calculates the attribute information according to a preset hash algorithm to obtain a second hash value;
and if the first hash value is the same as the second hash value, the first end determines that the tampered state of the digital signature is not tampered.
6. The method according to any one of claims 1-3, further comprising:
if the first digital certificate and the second digital certificate are both legal, the first end constructs a connecting channel with the second end; the connection channel comprises a transport protocol between the first end and the second end;
and the first end receives the access message of the second end through the connecting channel.
7. A method according to any of claims 1-3, characterized in that the access message comprises access data and signature data; the second digital certificate comprises a public key of the second digital certificate; the first end authenticating the access message comprises:
the first end decrypts the signature data according to the public key of the second digital certificate to obtain first summary information;
the first end determines a digest extraction mode of the signature data, and extracts the digest of the access data through the digest extraction mode to obtain second digest information;
and comparing the first digest information with the second digest information, and if the first digest information is the same as the second digest information, the first end determines that the access message passes the authentication.
8. A method according to any of claims 1-3, characterized in that the access message comprises access data and cyclic redundancy check data; the second digital certificate comprises a public key of the second digital certificate; the first end authenticating the access message comprises:
the first end decrypts the cyclic redundancy check data according to the public key of the second digital certificate to obtain a first cyclic redundancy check value;
the first end calculates the access data according to a preset check value generation method to obtain a second cyclic redundancy check value;
and comparing the first cyclic redundancy check value with the second cyclic redundancy check value, and if the first cyclic redundancy check value is the same as the second cyclic redundancy check value, the first end determines that the access message passes the authentication.
9. An access authentication apparatus, the apparatus comprising:
a verification module, used for the first end to perform a digital certificate verification operation in response to a handshake request sent by the second end; the digital certificate verification operation is used for verifying the validity of a first digital certificate of the first end and a second digital certificate of the second end;
a first sending module, configured to send, by the first end, an information authentication instruction to the second end if the first digital certificate and the second digital certificate are both legal, where the information authentication instruction is used to obtain an access packet of the second end;
the authentication module is used for authenticating the access message by the first end;
the second sending module is used for sending a response message of successful authentication to the second end by the first end if the access message passes the authentication; the response message indicates that data communication is allowed between the first end and the second end.
10. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 8.
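The verification flow of claims 4, 5, 7 and 8, as an added stdlib-only Python simulation (not code from the patent): the first end checks the CA trust list, the CA signature over the certificate attributes and the revocation list, then authenticates the access message by both the signature path and the CRC path. The CA name, keys, serials and access data are constructed, and the textbook RSA over small fixed primes is a toy stand-in for the claims' public-key encrypt/decrypt operations.

```python
"""Added example (not from the patent): a stdlib-only simulation of the first
end's checks in claims 4, 5, 7 and 8. CA, keys, serials and data are constructed."""
import hashlib
import zlib

def toy_rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA over two small fixed primes: a toy, not secure. Returns (pub, priv)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)

def toy_rsa(key, value: int) -> int:
    """Private exponent: sign ("encrypt with private key"); public exponent: "decrypt"."""
    exponent, n = key
    return pow(value, exponent, n)

def digest32(data: bytes) -> int:
    # Preset hash algorithm: SHA-256 truncated to 32 bits so it fits under the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")

def encode(attrs: dict) -> bytes:
    return repr(sorted(attrs.items())).encode()

# Constructed certificate authority, trust list (ca_id -> CA public key) and revocation list.
CA_PUB, CA_PRIV = toy_rsa_keypair(1000003, 999983)
TRUSTED_CAS = {"CA-EXAMPLE": CA_PUB}
REVOKED_SERIALS = {"serial-0002"}

def issue_certificate(ca_id: str, serial: str, subject: str, subject_pub, ca_priv) -> dict:
    """CA signs the hash of the certificate's attribute information (claim 5)."""
    attrs = {"ca_id": ca_id, "serial": serial, "subject": subject, "pub": subject_pub}
    return {"attrs": attrs, "signature": toy_rsa(ca_priv, digest32(encode(attrs)))}

def signature_not_tampered(cert: dict, ca_pub) -> bool:
    """Claim 5: first hash recovered from the CA signature vs. second hash of the attributes."""
    return toy_rsa(ca_pub, cert["signature"]) == digest32(encode(cert["attrs"]))

def certificate_is_legal(cert: dict) -> bool:
    """Claim 4: CA identification in the trust list, signature untampered, then not revoked."""
    attrs = cert["attrs"]
    ca_pub = TRUSTED_CAS.get(attrs["ca_id"])
    if ca_pub is None or not signature_not_tampered(cert, ca_pub):
        return False
    return attrs["serial"] not in REVOKED_SERIALS

def build_access_message(access_data: bytes, second_priv) -> dict:
    """Second end: signature data over the digest (claim 7) and CRC data over CRC32 (claim 8)."""
    return {"access_data": access_data,
            "signature": toy_rsa(second_priv, digest32(access_data)),
            "crc": toy_rsa(second_priv, zlib.crc32(access_data))}

def authenticate_by_signature(msg: dict, second_pub) -> bool:
    """Claim 7: first digest from the signature data vs. second digest of the access data."""
    return toy_rsa(second_pub, msg["signature"]) == digest32(msg["access_data"])

def authenticate_by_crc(msg: dict, second_pub) -> bool:
    """Claim 8: first CRC value from the check data vs. CRC recomputed over the access data."""
    return toy_rsa(second_pub, msg["crc"]) == zlib.crc32(msg["access_data"])

def first_end_accepts(cert: dict, msg: dict) -> bool:
    """Claim 1 order: the certificate must be legal before the access message is authenticated."""
    pub = cert["attrs"]["pub"]
    return (certificate_is_legal(cert) and authenticate_by_signature(msg, pub)
            and authenticate_by_crc(msg, pub))

# Constructed second end, its CA-issued certificate and one access message.
SECOND_PUB, SECOND_PRIV = toy_rsa_keypair(1000033, 1000037)
SECOND_CERT = issue_certificate("CA-EXAMPLE", "serial-0001", "second-end", SECOND_PUB, CA_PRIV)
ACCESS_MSG = build_access_message(b"access request: constructed sample", SECOND_PRIV)
```

A message altered in transit fails both the digest and the CRC comparison, and a certificate from an unknown CA, with altered attributes, or on the revocation list is rejected before the message is examined.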
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210373051.3A CN114745180A (en) | 2022-04-11 | 2022-04-11 | Access authentication method and device and computer equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114745180A true CN114745180A (en) | 2022-07-12 |
Family ID: 82281357
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210373051.3A Pending CN114745180A (en) | 2022-04-11 | 2022-04-11 | Access authentication method and device and computer equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114745180A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116865947A (en) * | 2023-07-11 | 2023-10-10 | 苏州大学 | Block chain storage method based on linear coding |
CN116865947B (en) * | 2023-07-11 | 2024-08-02 | 苏州大学 | Block chain storage method based on linear coding |
WO2024138322A1 (en) * | 2022-12-26 | 2024-07-04 | 京东方科技集团股份有限公司 | Processor, information authentication system and information authentication method |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050138351A1 (en) * | 2003-12-23 | 2005-06-23 | Lee Sok J. | Server authentication verification method on user terminal at the time of extensible authentication protocol authentication for Internet access |
CN101853369A (en) * | 2010-04-01 | 2010-10-06 | 西北工业大学 | Random Harsh based two-way authentication method |
CN106487511A (en) * | 2015-08-27 | 2017-03-08 | 阿里巴巴集团控股有限公司 | Identity identifying method and device |
CN107360125A (en) * | 2016-05-10 | 2017-11-17 | 普天信息技术有限公司 | Access authentication method, WAP and user terminal |
CN110061991A (en) * | 2019-04-22 | 2019-07-26 | 陈喆 | A kind of gateway setting method for realizing expressway tol lcollection private network security access internet |
WO2020186827A1 (en) * | 2019-03-21 | 2020-09-24 | 深圳壹账通智能科技有限公司 | User authentication method and apparatus, computer device and computer-readable storage medium |
US20210184869A1 (en) * | 2019-12-17 | 2021-06-17 | Microchip Technology Incorporated | Mutual authentication protocol for systems with low-throughput communication links, and devices for performing the same |
CN113242235A (en) * | 2021-05-08 | 2021-08-10 | 卡斯柯信号有限公司 | System and method for encrypting and authenticating railway signal secure communication protocol RSSP-I |
CN113596046A (en) * | 2021-08-03 | 2021-11-02 | 中电金信软件有限公司 | Bidirectional authentication method and device |
CN113709109A (en) * | 2021-07-27 | 2021-11-26 | 云南昆钢电子信息科技有限公司 | Safety system and method based on cloud end and edge end data exchange |
Non-Patent Citations (1)
Title |
---|
刘克成, 张凌晓: 《大学计算机基础》 (University Computer Fundamentals), 15 August 2007, 北京: 中国铁道出版社, pages 301-304 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||